ByteOS Network

CVE Vulnerability Details :

CVE-2026-27839

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-26 Feb, 2026 | 22:07

Updated At-26 Feb, 2026 | 22:07

▼CVE Numbering Authority (CNA)

wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)` — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrary PK. Commit 29876a1954fe959e4b58ef070170e81703dab60e contains a fix for the issue.

Affected Products

Vendor

wger-project

Product

wger

Versions

Affected

<= 2.4

Problem Types

Type	CWE ID	Description
CWE	CWE-639	CWE-639: Authorization Bypass Through User-Controlled Key

Type: CWE

CWE ID: CWE-639

Description: CWE-639: Authorization Bypass Through User-Controlled Key

Metrics

Version	Base score	Base severity	Vector
3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Hyperlink	Resource
https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86	x_refsource_CONFIRM
https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e	x_refsource_MISC

Hyperlink: https://github.com/wger-project/wger/security/advisories/GHSA-g8gc-6c4h-jg86

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/wger-project/wger/commit/29876a1954fe959e4b58ef070170e81703dab60e

Resource:

x_refsource_MISC

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References